CVE-2025-1940: UI Misrepresentation / Clickjacking in Mozilla Firefox

Severity: 7.1 HIGH (NVD)
EPSS: 0.3% (top 48.93%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 4

Description

A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user into launching an external app unexpectedly. *This issue only affects Android versions of Firefox.* This vulnerability was fixed in Firefox 136.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Exploitability: 2.8 | Impact: 4.2

Affected Packages (1 package)

NVD: mozilla/firefox < 136.0

🔴 Vulnerability Details (3)

CVEList: Android Intent confirmation prompt tapjacking using Select options (2025-03-04)
OSV: CVE-2025-1940: A select option could partially obscure the confirmation prompt shown before launching external apps (2025-03-04)
GHSA: GHSA-gqx4-7r84-32m6: A select option could partially obscure the confirmation prompt shown before launching external apps (2025-03-04)

📋 Vendor Advisories (3)

Red Hat: firefox: Android Intent confirmation prompt tapjacking using Select options (2025-03-04)
Debian: CVE-2025-1940: firefox - A select option could partially obscure the confirmation prompt shown before lau... (2025)
Mozilla: Mozilla Foundation Security Advisory 2025-14: CVE-2025-1940
CVE-2025-1940 — UI Misrepresentation / Clickjacking | cvebase